Remove the IN6_IS_ADDR_V4MAPPED checks in the protocol functions. They are useless, because the IPv6 entry point (ip6_input) already performs them. The checks were first added in the protocol functions: Wed Dec 22 04:03:02 1999 UTC (18 years, 1 month ago) by itojun "drop IPv6 packets with v4 mapped address on src/dst. they are illegal and may be used to fool IPv6 implementations (by using ::ffff:127.0.0.1 as source you may be able to pretend the packet is from local node)" Shortly afterwards they were also added in the IPv6 entry point, but were not removed from the protocol functions: Mon Jan 31 10:33:22 2000 UTC (18 years ago) by itojun "be proactive about malicious packet on the wire. we fear that v4 mapped address to be used as a tool to hose security filters (like bypassing "local host only" filter by using ::ffff:127.0.0.1)." OpenBSD did the same a few months ago. FreeBSD has never had these checks.diff -r1.368 -r1.369 src/sys/netinet/tcp_input.c
(maxv)
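--- a/src/sys/netinet/tcp_input.c
+++ b/src/sys/netinet/tcp_input.c
@@ -1,14 +1,14 @@
-/* $NetBSD: tcp_input.c,v 1.368 2018/02/08 19:38:21 maxv Exp $ */
+/* $NetBSD: tcp_input.c,v 1.369 2018/02/08 19:58:05 maxv Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
@@ -138,27 +138,27 @@
 */
 
 /*
 * TODO list for SYN cache stuff:
 *
 * Find room for a "state" field, which is needed to keep a
 * compressed state for TIME_WAIT TCBs. It's been noted already
 * that this is fairly important for very high-volume web and
 * mail servers, which use a large number of short-lived
 * connections.
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.368 2018/02/08 19:38:21 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.369 2018/02/08 19:58:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_inet_csum.h"
 #include "opt_tcp_debug.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
@@ -1302,33 +1302,26 @@ tcp_input(struct mbuf *m, ...)
 #ifdef INET6
 case 6:
 ip = NULL;
 iphlen = sizeof(struct ip6_hdr);
 af = AF_INET6;
 ip6 = mtod(m, struct ip6_hdr *);
 IP6_EXTHDR_GET(th, struct tcphdr *, m, toff,
 sizeof(struct tcphdr));
 if (th == NULL) {
 TCP_STATINC(TCP_STAT_RCVSHORT);
 return;
 }
 
-/* Be proactive about malicious use of IPv4 mapped address */
-if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-/* XXX stat */
-goto drop;
-}
-
 /*
 * Be proactive about unspecified IPv6 address in source.
 * As we use all-zero to indicate unbounded/unconnected pcb,
 * unspecified IPv6 address can be used to confuse us.
 *
 * Note that packets with unspecified IPv6 destination is
 * already dropped in ip6_input.
 */
 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
 /* XXX stat */
 goto drop;
 }
 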
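Review bot: With the v4-mapped check gone from the `case 6:` path, nothing in tcp_input records that mapped source/destination addresses are expected to have been rejected before this point, whereas the comment kept just below does say so for the unspecified destination ("already dropped in ip6_input"). Since the commit message states that ip6_input performs the check, a one-line comment in its place would keep that dependency visible, e.g. `/* v4-mapped src/dst are already dropped in ip6_input. */`. This matters if a later change adds a way to reach the handler without going through ip6_input; ip6_input and the handlers' other callers are not visible on this page, so that part should be confirmed against the tree. The same comment applies to the removals in rip6_input and udp6_input; tcp_input's body continues outside the hunk.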
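--- a/src/sys/netinet6/raw_ip6.c
+++ b/src/sys/netinet6/raw_ip6.c
@@ -1,14 +1,14 @@
-/* $NetBSD: raw_ip6.c,v 1.161 2018/02/01 15:53:16 maxv Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $ */
 /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
@@ -52,27 +52,27 @@
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#)raw_ip.c 8.2 (Berkeley) 1/4/94
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.161 2018/02/01 15:53:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
 #include "opt_net_mpsafe.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/sysctl.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/protosw.h>
 #include <sys/socketvar.h>
 #include <sys/systm.h>
@@ -152,34 +152,26 @@ rip6_input(struct mbuf **mp, int *offp,
 struct sockaddr_in6 rip6src;
 struct mbuf *opts = NULL;
 
 RIP6_STATINC(RIP6_STAT_IPACKETS);
 
 #if defined(NFAITH) && 0 < NFAITH
 if (faithprefix(&ip6->ip6_dst)) {
 /* send icmp6 host unreach? */
 m_freem(m);
 return IPPROTO_DONE;
 }
 #endif
 
-/* Be proactive about malicious use of IPv4 mapped address */
-if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-/* XXX stat */
-m_freem(m);
-return IPPROTO_DONE;
-}
-
 sockaddr_in6_init(&rip6src, &ip6->ip6_src, 0, 0, 0);
 if (sa6_recoverscope(&rip6src) != 0) {
 /* XXX: should be impossible. */
 m_freem(m);
 return IPPROTO_DONE;
 }
 
 TAILQ_FOREACH(inph, &raw6cbtable.inpt_queue, inph_queue) {
 in6p = (struct in6pcb *)inph;
 if (in6p->in6p_af != AF_INET6)
 continue;
 if (in6p->in6p_ip6.ip6_nxt &&
 in6p->in6p_ip6.ip6_nxt != proto)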
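--- a/src/sys/netinet6/udp6_usrreq.c
+++ b/src/sys/netinet6/udp6_usrreq.c
@@ -1,14 +1,14 @@
-/* $NetBSD: udp6_usrreq.c,v 1.133 2018/02/08 11:49:37 maxv Exp $ */
+/* $NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $ */
 /* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */
 /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
@@ -53,27 +53,27 @@
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#)udp_var.h 8.1 (Berkeley) 6/10/93
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.133 2018/02/08 11:49:37 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_inet_csum.h"
 #include "opt_ipsec.h"
 #include "opt_net_mpsafe.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -602,33 +602,26 @@ udp6_input(struct mbuf **mp, int *offp,
 */
 if (ulen == 0 && plen > 0xffff)
 ulen = plen;
 
 if (plen != ulen) {
 UDP6_STATINC(UDP6_STAT_BADLEN);
 goto bad;
 }
 
 /* destination port of 0 is illegal, based on RFC768. */
 if (uh->uh_dport == 0)
 goto bad;
 
-/* Be proactive about malicious use of IPv4 mapped address */
-if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
-IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
-/* XXX stat */
-goto bad;
-}
-
 /*
 * Checksum extended UDP header and data. Maybe skip checksum
 * on loopback interfaces.
 */
 if (udp6_input_checksum(m, uh, off, ulen))
 goto bad;
 
 /*
 * Construct source and dst sockaddrs.
 */
 memset(&src, 0, sizeof(src));
 src.sin6_family = AF_INET6;
 src.sin6_len = sizeof(struct sockaddr_in6);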